Introduction
Data security is a worldwide problem, and there is a wide world of encryption solutions available
to help solve this problem. Most of these products are developed and sold by for-profit entities,
although some are created as free open-source projects. They are available, either for sale or free
download, all over the world.
In 1999, a group of researchers from George Washington University attempted to survey the
worldwide market for encryption products [HB+99]. The impetus for their survey was the
ongoing debate about US encryption export controls. By collecting information about 805
hardware and software encryption products from 35 countries outside the US, the researchers
showed that restricting the export of encryption products did nothing to reduce their availability
around the world, while at the same time putting US companies at a competitive disadvantage in
the information security market.
Seventeen years later, we have tried to replicate this survey.

Findings
We collected information on as many encryption products as we could find anywhere in the
world. This is a summary of our findings:


We have identified 865 hardware or software products incorporating encryption from 55
different countries. This includes 546 encryption products from outside the US, representing
two-thirds of the total. Table 1 summarizes the number of products from each country.



The most common non-US country for encryption products is Germany, with 112 products.
This is followed by the United Kingdom, Canada, France, and Sweden, in that order.



The five most common countries for encryption products—including the US—account for
two-thirds of the total. But smaller countries like Algeria, Argentina, Belize, the British
Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and
Thailand each produce at least one encryption product.



Of the 546 foreign encryption products we found, 56% are available for sale and 44% are
free. 66% are proprietary, and 34% are open source. Some for-sale products also have a free
version.



We identified 587 entities—primarily companies—that either sell or give away encryption
products. Of those, 374, or about two-thirds, are outside the US.

The 546 foreign encryption products compare with 805 from the 1999 survey. These
numbers are really lower bounds more than anything else, as neither survey claimed to be
comprehensive. Very few of the products from the 1999 survey appear in the current one,
illustrating how much this market has changed in 17 years.



The potential of an NSA-installed backdoor in US encryption products is rarely mentioned in
the marketing material for the foreign-made encryption products. This is, of course, likely to
change if US policy changes.



There is no difference in advertised strength of encryption products produced in or outside
the US. Both domestic and foreign encryption products regularly use strong published
encryption algorithms such as AES. Smaller companies, both domestic and foreign, are
prone to use their own proprietary algorithms.



Some encryption products are jurisdictionally agile. They have source code stored in
multiple jurisdictions simultaneously, or their services are offered from servers in multiple
jurisdictions. Some organizations can change jurisdictions, effectively moving to countries
with more favorable laws.

We do not believe that we have cataloged every encryption product available to the general, nongovernmental, customer. In fact, we are sure we could find dozens more if we continued to
search. This list is a work in progress, and will be updated as additional information is received.
The most current version of the paper will be available at the following URL:
https://www.schneier.com/paper-worldwide.html

Methodology
We collected our list of encryption products through a variety of means. Initially, we announced
the survey on the popular security blog Schneier on Security and the Crypto-Gram newsletter,
with over 250,000 readers [Sch15a]. People were invited to submit security products to the
survey. We published an early draft of the survey on the same blog and newsletter, and invited
readers to submit additions and corrections [Sch15b]. Collectively, this process resulted in a
listing of about 600 products. We identified additional products by cross-checking various lists
on Wikipedia (e.g., comparisons of disk encryption software, encrypted external drives, IM
clients and protocols, VoIP software, web search engines, and security-focused operating
systems) and elsewhere online (e.g., Electronic Frontier Foundation, ProPublica, Guardian
Project, TorrentFreak). We also located products via general web searching and browsing the
Android Play Store, Apple Store, and GitHub. People e-mailed us with product names and
descriptions.

Information about the different encryption products was largely collected from the products’
respective websites, although occasionally we talked directly with the companies or individuals
responsible. We assigned countries to products based on the information we found. Companies
are headquartered in particular countries. Open-source development teams are often managed
from one country, or have a contact address. Sometimes we had to do some sleuthing, such as
looking up the country in which the product’s domain was registered. Sometimes we came up
empty; for fifteen products we could not assign a country.
We do not claim that these numbers are anything other than a lower bound on the number of
encryption products available worldwide. Considerable effort was expended to ensure that the
list is complete and accurate, although we have no illusions that we were entirely successful. In
fact, we know this list is incomplete. We were adding entries up until the very last minute, and
could easily continue. We have done enough searching on repositories like app stores and
GitHub to realize that we could spend another few weeks trawling them for more products and
projects. Even so, we believe we have captured most of the encryption market at this time.
Table 1: Countries and Products
Algeria—1                   Gibraltar—2         Romania—4
Argentina—1                 Hong Kong—6         Russia—17
Australia—21                Hungary—3           Saudi Arabia—3
Austria—8                   Iceland—6           Seychelles—7
Belgium—2                   India—9             Singapore—5
Belize—1                    Iraq—1              Slovakia—2
Brazil—3                    Ireland—4           South Korea—3
British Virgin Islands—1    Israel—9            Spain—7
Bulgaria—1                  Italy—19            St. Kitts and Nevis—1
Canada—47                   Japan—9             Sweden—33
Chile—1                     Malaysia—1          Switzerland—25
China—6                     Moldova—3           Taiwan—3
Cyprus—1                    Netherlands—19      Tanzania—1
Czech Republic—8            New Zealand—4       Thailand—1
Denmark—2                   Norway—4            Ukraine—2
Estonia—1                   Panama—4            United Arab Emirates—3
Finland—9                   Philippines—2       United Kingdom—54
France—41                   Poland—3            United States—304
Germany—112

The Quality of Foreign Encryption Products
Based on the marketing materials we read, there is no reason to believe that foreign-designed or
foreign-developed encryption products are any worse (or better) than their US counterparts.
Cryptography is very much a worldwide academic discipline, as evidenced by the quantity and
quality of research papers and academic conferences from countries other than the US. Both
recent NIST encryption standards—AES and SHA-3—were designed outside of the US, and the
submissions for those standards were overwhelmingly non-US. Additionally, the seemingly
endless stream of bugs and vulnerabilities in US encryption products demonstrates that
American engineers are not better than their foreign counterparts at writing secure encryption
software. Finally, almost all major US software developers have international teams of
engineers, both working in the US and working in non-US offices.
To be sure, we do not believe that either US or non-US encryption products are free of
vulnerabilities. We also believe that both US and non-US encryption products can be
compromised by user error. What we do believe is that there is no difference in quality between
the two. Both use the same cryptographic algorithms, and their secure development and coding
practices are a function of the quality of their programmers, not the country they happen to be
living in.
With regard to backdoors, both Germany (with 113 products) and the Netherlands (with 20
products) have publicly disavowed backdoors in encryption products. Another two
countries—the United Kingdom (with 54 products) and France (with 41 encryption products)—
seem very interested in legally mandating backdoors.

Jurisdictional Agility of Encryption Products
Most products were easy to associate with a particular country, especially commercial products.
Companies are incorporated in a country. With free and open-source projects, this association
can be more difficult to establish. Some products are developed and maintained by an
international team without any clear leader. Some product developers go out of their way to hide
their national origins. Belize, the British Virgin Islands, and St. Kitts and Nevis are tax and
anonymity havens; the fact that a domain or corporation is hosted or incorporated there doesn’t
guarantee that that’s where the developer is actually from. Finally, our survey includes 16
products where we could not identify the country of origin.
Some products’ source code is redundantly stored on servers in different countries around the
world. This code can often be easily forked, which means that multiple versions can exist
simultaneously. This happened with TrueCrypt. The open-source encryption program was
discontinued by its anonymous developers in 2014. At this time, at least three forks of the
program—from three different countries—continue: VeraCrypt in France, CipherShed in
Germany, and ZuluCrypt in Tanzania. (A simple search of GitHub yields 182 projects that
include internal TrueCrypt copies, but we don’t know how many of them are actual finished
products. We don’t know whether the code is included for posterity, reference, or actual
modified inclusion. We don’t know what countries most of these projects are based in, either.)
Some products implemented as services exist on multiple servers, in multiple countries,
simultaneously.
Additionally, many encryption products—especially free and open-source products that are not
designed with profit in mind—can easily move their product to another country. Informal
international teams will be able to change the home country of their projects. Smaller companies
will be able to re-incorporate in another country. Silent Circle, for example, moved its
corporate headquarters from the US to Switzerland in 2014.

Comparisons with the 1999 Survey
We were surprised by how different the products were between the current survey and the 1999
survey. We attribute this to the fast-moving nature of the Internet in general, and not to
anything about encryption in particular. Many things about the companies that sell computer,
network, and information technologies have changed in those 17 years.
The cryptography world has changed considerably since 1999. In part due to the spread of
computer-science curricula, there are more people knowledgeable about cryptography—and
they come from all over the world. Additionally, there are more books and websites that teach
cryptography, and more easily available cryptography libraries that can be used to build
encryption products.
The IT world has also changed significantly since 1999. Many of the products in the 1999 survey
were not described on the Internet, and most were only available by mail. Today, almost
everything is comprehensively described on the Internet, and almost all software is available for
either paid or free download. This means that it is easier for users to obtain encryption products,
no matter where they are in the world. We believe this internationalization is why there are
fewer encryption products today than there were in 1999.

Implications for US Policy
Currently in the US, UK, and other countries, there are policy discussions about mandatory
backdoors in encryption products. Law enforcement is the impetus behind these discussions;
they claim that they are “going dark” and unable to decrypt either communications or data in
storage [Com14]. Security researchers have long argued that such backdoors are impossible to
implement securely, and will result in substandard security for everyone [AA+15]. Others argue
that going dark is the wrong metaphor, and that many avenues for surveillance remain [GG+16].
Our research points to a different argument. Proposed mandatory backdoors have always been
about modifying the encryption products used by everyone to eavesdrop on the few bad guys.
That is, the FBI wants Apple—for example—to ensure that everyone’s iPhone can be decrypted
on demand so the FBI can decrypt the phones of the very few users under FBI investigation.
For this to be effective, those people using encryption to evade law enforcement must use Apple
products. If they are able to use alternative encryption products, especially products created and
distributed in countries that are not subject to US law, they will naturally switch to those
products if Apple’s security weaknesses become known.
Our survey demonstrates that such switching is easy. Anyone who wants to evade an encryption
backdoor in US or UK encryption products has a wide variety of foreign products they can use
instead: to encrypt their hard drives, voice conversations, chat sessions, VPN links, and
everything else. Any mandatory backdoor will be ineffective simply because the marketplace is
so international. Yes, it will catch criminals who are too stupid to realize that their security
products have been backdoored or too lazy to switch to an alternative, but those criminals are
likely to make all sorts of other mistakes in their security and be catchable anyway. The smart
criminals that any mandatory backdoors are supposed to catch—terrorists, organized crime, and
so on—will easily be able to evade those backdoors. Even if a criminal has to use, for example, a
US encryption product for communicating with the world at large, it is easy for him to also use a
non-US non-backdoored encryption product for communicating with his compatriots.
The US produces the most products that use encryption, and also the most widely used
products. Any US law mandating backdoors will primarily affect people who are unconcerned
about government surveillance, or at least unconcerned enough to make the switch. These
people will be left vulnerable to abuse of those backdoors by cybercriminals and other
governments.

Conclusions
Laws regulating product features are national, and only affect people living in the countries in
which they’re enacted. It is easy to purchase products, especially software products, that are sold
anywhere in the world from everywhere in the world. Encryption products come from all over
the world. Any national law mandating encryption backdoors will overwhelmingly affect the
innocent users of those products. Smart criminals and terrorists will easily be able to switch to
more-secure alternatives.

Further Work
As we said previously, we know this list is incomplete. It is our hope that readers will be able to
fill in whatever blanks remain, and offer more suggestions for products and companies,
especially those outside the US.
Additionally, it would be instructive to list the specific encryption algorithms used by these
products, and whether their marketing specifically references either NSA surveillance or any
laws mandating that companies put backdoors in their products.

Appendix
The following table is a complete listing of all encryption products we found, both domestic and foreign. Although we have tried to be
comprehensive and accurate, we cannot guarantee that this information is either complete or error-free.
If anyone knows of any additions, or notices any errors, please notify the authors at schneier@schneier.com.
The most current version of this table is available as an Excel spreadsheet at https://www.schneier.com/cryptography/paperfiles/worldwide-encryption-product-survey-data.xls, and as a .csv file at https://www.schneier.com/cryptography/paperfiles/worldwide-encryption-product-survey-data.csv. The spreadsheet contains additional information, including notes on each product listed and a list of products we found but decided should
not be included in this list.
Explanation of fields:
Country: The country in which the company or programmers are based. In some cases this is misleading, as many development teams are
international. Some teams deliberately hide their nation of origin. These products are marked as “unknown.”
Product Name: The name of the encryption product.
Company: The name of the company that sells or distributes the product, if one exists.
Type: The type of encryption product. There are many different types of encryption products, including e-mail encryption, message encryption, file
encryption, encrypted currency, and so on. For products that don’t neatly categorize, we have made our best guess.
Platforms: The operating system or browser that the product works under. Some products work on multiple platforms.
HW/SW: Whether the product is hardware or software.
Cost: Whether the product is commercial or available for free.
PR/OS: Whether the product’s code is proprietary or open source.
URL: The URL of the product.
